Department of Homeland Security
Office of Inspector General

Better Monitoring and Enhanced Technical Controls Are Needed to Effectively Manage LAN-A

(Redacted)

OIG-09-55                               April 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

April 10, 2009

Preface

The Department of Homeland Security (DHS), Office of Inspector General, was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses the strengths and weaknesses of DHS' management of its headquarters network, known as LAN-A. It is based on interviews with selected officials and contractor personnel, direct observations, technical scans, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents

Executive Summary
Background
Results of Audit
    OCIO Has Taken Initial Steps to Improve LAN-A Management
    Additional Monitoring Is Needed to Administer LAN-A IT Contract Services
        Recommendations
        Management Comments and OIG Analysis
    Enhancements Can Be Made in LAN-A Technical Controls
        Recommendations
        Management Comments and OIG Analysis
    Compliance with DHS Information Security Program
        Recommendations
        Management Comments and OIG Analysis
Appendices
    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Major Contributors to this Report
    Appendix D: Report Distribution

Abbreviations

ATO        Authority to Operate
CO         Contracting Officer
CONOPS     Concept of Operations
COTR       Contracting Officer Technical Representative
DAA        Designated Accreditation Authority or Designated Approving Authority
DHS        Department of Homeland Security
FISMA      Federal Information Security Management Act
FY         Fiscal Year
IT         Information Technology
ITAC       Information Technology Acquisitions Center
ITMS       Information Technology Management Services
IT-NOVA    Information Technology Network Operations Virtual Alliance
ITSO       Information Technology Services Office
NIST       National Institute of Standards and Technology
O&M        Operations and Maintenance
OCIO       Office of the Chief Information Officer
OCPO       Office of the Chief Procurement Officer
PAR        Privilege Account Request
POA&M      Plan of Action and Milestones
PRISM      Purchase Request Information System
SLA        Service Level Agreement

Executive Summary

LAN-A is the Department of Homeland Security (DHS) unclassified headquarters network. The network provides email and data communication services for all headquarters personnel in the Washington, DC, metropolitan area.
In mid-2007, DHS consolidated services from several information technology (IT) related contracts into the Information Technology Network Operations Virtual Alliance (IT-NOVA) to help it manage LAN-A more effectively.

We evaluated network operations to determine whether DHS is effectively managing LAN-A. In addressing our objective, we determined whether the contractor has provided adequate support services in accordance with the contract terms; effective system controls have been implemented to protect the network; and program officials have ensured that LAN-A was certified and accredited in accordance with DHS information security policy.

Overall, DHS has implemented effective system controls to protect the information stored and processed by the system. For example, DHS ensures that patch management and vulnerability assessments are performed periodically on LAN-A. In assessing the controls that have been implemented, we identified only a few missing security patches. In addition, audit trails were enabled on servers, workstations, and routers. Finally, the IT-NOVA Operations and Maintenance (O&M) contractor has established an IT Service Desk to provide 24-hour end-user support.

However, additional monitoring of the contract is needed to ensure that the contractor is providing adequate services and the required deliverables. In addition, DHS can make improvements in managing its privileged and [redacted] applying security patches, [redacted]. Finally, DHS must ensure that LAN-A is reaccredited according to applicable guidance, and that the required security documents are developed and continuously updated.

Better Monitoring and Enhanced Technical Controls Are Needed to Effectively Manage LAN-A
Page 1

We are making 10 recommendations to the Under Secretary for Management and Chief Information Officer. The department concurred with our recommendations and has already begun to take actions to implement them. The department's response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

LAN-A, DHS' unclassified network, provides email and data communication services for all headquarters personnel in the Washington, DC, metropolitan area. The IT Services Office (ITSO) within the Office of the Chief Information Officer (OCIO) is responsible for maintaining the network. Most LAN-A users are from headquarters components and offices, such as Domestic Nuclear Detection, Management, National Protection and Programs, and Science and Technology.

In June 2006, LAN-A was compromised when malicious software was installed on 150 of DHS' workstations.[1] Subsequent reviews, including a congressional investigation, revealed that the LAN-A contractor had not fulfilled its responsibilities to install security devices or elevate security incidents to DHS officials. Specifically, investigators found that the contractor had installed only three of the required seven intrusion detection devices at the time of the compromise.

Following this incident, in mid-2007, the department consolidated services from several IT-related contracts into IT-NOVA. DHS awarded two task orders under IT-NOVA: [redacted] was awarded an O&M task order and [redacted] was awarded a Project Management Office task order. During this audit, we focused on reviewing the IT services and contractor performance provided under the IT-NOVA O&M task order.

The IT-NOVA O&M task order included a full range of IT support services. A list of task order components and services is shown in Figure 1.
Specifically, [redacted] was tasked with providing support for all network services, including user support and security monitoring.

[1] Malicious software is a general term for programs that, when executed, cause undesired results on a system. The malicious software used in this attack sent unclassified data from DHS' systems to Chinese-language websites.

Figure 1: IT-NOVA O&M Task Order Support Services

Application Management Services:
    File and data storage
    Printing
    Remote access
    Messaging services
    Upgrades and updates
    Security patches

Deployment Support:
    Deployment plans
    Network diagrams
    Equipment inventories
    Equipment installation

Infrastructure Engineering Services:
    Server and storage device management
    Client configuration management
    Local area network management

End User Support:
    Work flow descriptions
    Helpdesk services
    Preventative maintenance plan

The IT-NOVA task order is managed by two offices within the Management Directorate. The technical oversight of the task order is provided by the ITSO. Contracting and procurement oversight for IT-NOVA is provided by staff from the Office of the Chief Procurement Officer (OCPO) IT Acquisitions Center (ITAC). Figure 2 outlines the IT-NOVA management structure, including the OCIO, ITSO, OCPO, and ITAC.

Figure 2: IT-NOVA Management Structure

Results of Audit

OCIO Has Taken Initial Steps to Improve LAN-A Management

OCIO has taken some positive steps to improve LAN-A management and security. For example, patch management and vulnerability assessments are being performed periodically on LAN-A. These actions help to identify and mitigate network security vulnerabilities. During our security testing, security patches were being applied. In addition, audit trails recording user login activities were enabled on servers, workstations, and routers.

Furthermore, the O&M contractor has established an IT Service Desk to provide 24-hour user support for applications and network services. The IT Service Desk has maintained customer service satisfaction levels above 90% for August, September, and October 2008.

These actions have improved the security and reliability of LAN-A. Yet, DHS can make further improvements to effectively manage the network.
For example, additional monitoring of contractor performance is needed to effectively administer the IT-NOVA task order. In addition, DHS needs to ensure that detailed procedures for IT and security related activities are documented. Furthermore, improvements can be made in technical controls to strengthen the network's information security. Finally, DHS must ensure that security documents are updated prior to re-certifying and accrediting LAN-A.

Additional Monitoring Is Needed to Administer LAN-A IT Contract Services

OCIO is not effectively administering the O&M contract requirements. For example, OCIO has not provided clear guidance and exercised the oversight necessary to ensure that the contractor has delivered the full range of IT services and related documentation required by the contract. Furthermore, OCIO has not taken the actions needed to address and correct deficiencies identified in the contractor's performance. As a result, certain contract service requirements have not been met.

O&M Contract Administration Issues

OCIO has not defined its responsibilities for LAN-A program management oversight, including communication with the contractor to ensure that the contractor provides adequate IT support to users. In addition, OCIO has faced challenges coordinating the work of various contractors within ITSO. This has led to contractor delays in troubleshooting LAN-A problems related to its network and applications, and in responding to user requests.

Furthermore, OCIO has not ensured that the contractor receives tasking direction only from authorized contracting officials. We identified instances where senior program officials, who have not been given contractual authority, have instructed contractor personnel to perform services that are not in accordance with the terms stated in the task order.

The need for additional staff at OCIO has contributed to insufficient coordination among the various contractor efforts and to delays in responding to users' issues. Specifically, the Director of the Headquarters Services division estimated that the division requires twice as many staff members to manage the size and scope of services under the IT-NOVA task order. Inadequate monitoring and oversight have also led to delays in authorizing task order payments, and to technical support services being provided without authorization from the proper personnel.

OCIO Has Not Provided Clear Guidance and Defined Reporting Requirements

OCIO has not provided guidance to the contractor regarding the content and details that should be included in the contractor's monthly LAN-A performance and quality control reports. As a result, the contractor has not been providing these monthly reports. Without these reports, OCIO does not have the information necessary to evaluate contractor performance.

Beginning in June 2008, the IT-NOVA O&M task order required that the contractor provide monthly performance summary reports containing information on the dates, times, and duration of outages or service interruptions on DHS applications, network environments, and databases. In addition to the monthly performance reports, the contractor agreed to provide the department with a monthly quality control plan. The quality control plan describes how the contractor will control the equipment, systems, or services in order to meet the task order requirements. The plan would then be used as the basis for the monthly quality control reports. OCIO did not immediately approve the quality control plan that was submitted in May 2008. Furthermore, since OCIO had not provided clear guidance on the content to be included in the monthly reports, at the request of OCPO, the contractor suspended providing this information to the department.

In December 2008, we informed OCIO that the department was not receiving the information needed to properly evaluate and monitor contract performance as it relates to LAN-A. Subsequent to that meeting, a procurement official informed us that the quality control plan was approved by OCIO. Additionally, both OCIO and the contractor agreed on the content for the monthly reports. The contractor is to begin submitting monthly performance summary and quality control reports starting in January 2009.

OCIO Has Not Responded to LAN-A Contractor Performance Deficiencies

OCIO has not responded in a timely manner to the contractor deficiencies that were identified. Specifically, OCIO officials have not ensured that the deficiencies identified in contractor service support are being addressed.

On April 17, 2008, the contracting officer issued a quality discrepancy report,[2] which outlined issues regarding the performance of the O&M contractor. The quality discrepancy report identified that the contractor had not met all service requirements for the IT Service Desk and had not appointed the necessary senior staff to the engineering, operations, and applications areas. This formal report required the contractor to address the identified deficiencies and respond with a proposed corrective action plan within 10 days.

On May 1, 2008, the contractor responded with an action plan and requested a meeting with OCIO to discuss its response. On June 11, 2008, the contracting officer tasked OCIO staff, including the contracting officer technical representative, to review and respond to the contractor's action plan by June 16, 2008. OCIO, however, never responded to the contractor's action plan. In a follow-up meeting on June 19, 2008, the contracting officer decided to close the performance deficiencies identified without further recourse.

[2] A quality discrepancy report is a formal notification from the contracting officer to the contractor regarding contractual performance. The report allows the contractor an opportunity to correct or replace nonconforming services or supplies.

In addition to the deficiencies noted in the quality discrepancy report, we determined that the contractor has not documented the processes and procedures for IT and information security activities. For example, the contractor was required to develop a comprehensive concept of operations (CONOPS) with documented processes and procedures for the IT Service Desk. We determined that the CONOPS developed has not met all the requirements, as noted in Figure 3.

Figure 3: IT Service Desk Operations (Service Desk Concept of Operations Requirements and Documentation)

Task order requirements for CONOPS:
    Organizational chart
    Work flow
    Detailed description of processes, procedures, and policies
    Work breakdown structure
    Detailed performance metrics and evaluation criteria

Current CONOPS contents (10/15/2008):
    Organizational roles and responsibilities
    Work flow

Due to staffing shortages, OCIO has not been able to adequately monitor the O&M contractor requirements, perform its program management oversight functions, or properly evaluate contractor performance. As of September 2008, ITSO had staffed only 60% of its available federal positions. OCIO officials recognize that staffing shortages for federal positions remain an issue for ITSO. Further, we have previously reported that DHS faced significant challenges in establishing an effective IT management structure to oversee IT resources.[3] Without sufficient monitoring, oversight, and staffing, there is little assurance that the O&M service support provided for LAN-A is adequate.

[3] Progress Made in Strengthening DHS Information Technology Management, But Challenges Remain, dated September 2008 (OIG-08-91).

Recommendations

We recommend that the Under Secretary for Management direct the Chief Information Officer to:

Recommendation #1: Strengthen the department's monitoring oversight of the O&M contractor to ensure that services are provided in accordance with the task order.

Recommendation #2: Obtain required monthly reports and the IT Service Desk procedures from the O&M contractor.

Recommendation #3: Take steps to ensure that only personnel with appropriate contractual responsibility can provide direction to the contractor to perform its tasks; and provide clear and sufficient guidance to the contractor to perform its services.

Recommendation #4: Address the deficiencies identified in the contractor's performance.

Management Comments and OIG Analysis

DHS concurred with recommendation 1.
DHS agreed that the department must strengthen its oversight of the O&M contractor and ensure that contractual obligations are adequately met. DHS has developed Service Level Agreements (SLAs) for contractor performance, and updated the department's current practices to monitor and evaluate contractor performance. DHS will negotiate with the contractor to add SLAs and enhanced service metrics, aimed at tracking and improving the contractor's performance. DHS anticipates completing the negotiations and having the SLAs added to the contract by the third quarter of FY 2009.

We agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.

DHS concurred with recommendation 2. DHS agreed that the required monthly deliverables must be consistently submitted, reviewed, and approved by government staff. The department acknowledged that this has not been occurring on a consistent basis. Furthermore, DHS agreed that when the contractor is unable to provide a required deliverable, it must be documented in a performance deficiency letter and followed up to ensure swift resolution. The contractor has drafted a CONOPS for the IT Service Desk. DHS will complete its review within 30 days of its response to either accept or reject these standard operating procedures. Finally, OCIO will make monthly on-site monitoring visits to ensure daily and weekly monitoring and reporting for effectiveness, and to solicit feedback from stakeholders on contractor performance.

We agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.

DHS concurred with recommendation 3. DHS agreed that the department must adhere to the Federal Acquisition Regulation to ensure that only Contracting Officers (CO) and Contracting Officer Technical Representatives (COTR) provide direction to contractor personnel to perform their tasks. Immediately, DHS will strengthen its oversight to ensure that only authorized government personnel with contractual responsibilities, i.e., CO and COTR, can provide direction to contractor personnel. DHS will review all deliverables to monitor the process and ensure contractor compliance. In addition, the department will ensure that only authorized personnel, i.e., CO and COTR, can commit DHS to any type of contractual obligation, and only to the extent of their delegated authority. Personnel responsible for contracts shall maintain a close and continuous relationship with the CO to ensure that acquisition personnel are made aware of contemplated acquisition actions. DHS believes that these changes will improve the department's planning for acquisition actions and provide more timely, efficient, and economical acquisition and contractor oversight. Finally, DHS acknowledged that personnel who have not been delegated contracting authority, or whose contracting authority is insufficient, shall not commit the Government, formally or informally, to any type of contractual obligation. All OCIO personnel were scheduled to receive a briefing on the responsibilities of government contracting personnel by February 19, 2009.

We agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.

DHS concurred with recommendation 4. DHS agreed that the department must follow up on the deficiencies identified throughout contractor performance in a timely and thorough manner. To improve the quality and efficiency of the department's monitoring process, DHS will conduct monthly reviews with the contractor's senior management and document deficiencies for future actions.

We agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.

Enhancements Can Be Made in LAN-A Technical Controls

OCIO does not have an effective process to manage its LAN-A privileged accounts or ensure that security patches are deployed on applications.
For example, OCIO has not defined the system administrators\xe2\x80\x99 responsibilities for deploying security patches. [redacted] As a result, there is greater risk that security controls implemented to protect LAN-A may be circumvented.\n\nPrivileged Accounts Are Not Properly Managed and Maintained\n\nOCIO does not have an effective process to manage its LAN-A privileged accounts to ensure that only those authorized to perform administration duties have the appropriate permissions. Privileged accounts are those with elevated access permissions, granted only to system administrators to perform their network-related job functions. When privileged accounts are not properly managed, malicious users may be able to bypass security features and gain unmonitored access to system configuration settings and data.\n\n[redacted] To request elevated access permissions, users are required to complete an access request form. The form is then routed to appropriate personnel for review and approval. Once the request has been approved, users are assigned to the groups needed to perform their network-related functions.\n\nWhile OCIO has established a process for requesting and granting elevated access permissions, this process has not been fully implemented. 
For example:\n\n\xe2\x80\xa2 [redacted] As of November 2008, [redacted] accounts have been granted to contractors who manage LAN-A [redacted]\n\n\xe2\x80\xa2 A domain administrator was granted enterprise administrator access [redacted]. This assignment of permissions, done without documented management approval, circumvents the access permission request process and [redacted]. Since no documented approval or audit trail was available, we could not determine who modified the group policy to grant the domain administrator higher access permissions.\n\n\xe2\x80\xa2 [redacted]\n\n\xe2\x80\xa2 [redacted]\n\n\xe2\x80\xa2 [redacted]\n\nElevated account access, such as that granted to system administrators, must be managed properly to prevent unauthorized access to LAN-A. 
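The reconciliation that the findings above call for, as an added example that is not code from the OIG report or from DHS: a snapshot of privileged group membership is checked against a register of approved access requests, and every member of a privileged group that no current, fully approved request covers is reported, including a Domain Admin who also sits in Enterprise Admins with no request for that group. The account names, group list, three-role approval chain and one-year validity period are constructed assumptions. In practice the membership snapshot would be exported from the directory (for Active Directory, Get-ADGroupMember with -Recursive, so nested groups are expanded before the comparison).

```python
"""Reconcile privileged group membership against approved access requests.

Added example; not the OIG report's or DHS' own tooling. A directory
membership snapshot (constructed below) is checked against a register of
Privileged Account Requests (PARs, also constructed). The three-signature
approval chain and the one-year validity are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Groups whose members carry elevated directory rights (assumed list).
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins")
# Roles that must sign a PAR before it authorises access (assumed).
REQUIRED_APPROVALS = ("supervisor", "operations_lead", "security_manager")
PAR_VALIDITY = timedelta(days=365)  # assumed one-year expiry


@dataclass(frozen=True)
class Par:
    account: str
    group: str
    approved_on: date
    approvals: tuple  # roles that signed off on this request

    def problems(self, as_of):
        """Reasons this request does not currently authorise access (empty if it does)."""
        out = []
        missing = [r for r in REQUIRED_APPROVALS if r not in self.approvals]
        if missing:
            out.append("missing approval: " + ", ".join(missing))
        if as_of - self.approved_on > PAR_VALIDITY:
            out.append("expired on " + (self.approved_on + PAR_VALIDITY).isoformat())
        return out


def audit_privileged_access(membership, pars, as_of):
    """Return (account, group, reason) for each privileged group member that
    no current, fully approved PAR covers. Membership is checked per group, so
    a Domain Admin who also appears in Enterprise Admins needs a PAR for each."""
    exceptions = []
    for group in PRIVILEGED_GROUPS:
        for account in sorted(membership.get(group, ())):
            matching = [p for p in pars if p.account == account and p.group == group]
            if not matching:
                exceptions.append((account, group, "no PAR on file"))
                continue
            reasons = [p.problems(as_of) for p in matching]
            if any(not r for r in reasons):
                continue  # at least one request is current and fully approved
            exceptions.append((account, group, "; ".join(sorted({x for r in reasons for x in r}))))
    return exceptions


# Constructed snapshot of each privileged group's membership.
MEMBERSHIP = {
    "Domain Admins": {"alice", "bob", "ctr-svc01"},
    "Enterprise Admins": {"alice", "bob"},
}
# Constructed PAR register: bob holds Enterprise Admins with no request at all
# (an undocumented escalation), his Domain Admins request has lapsed, and the
# contractor account's request carries only one of the three approvals.
PARS = [
    Par("alice", "Domain Admins", date(2008, 3, 1), REQUIRED_APPROVALS),
    Par("alice", "Enterprise Admins", date(2008, 3, 1), REQUIRED_APPROVALS),
    Par("bob", "Domain Admins", date(2007, 9, 15), REQUIRED_APPROVALS),
    Par("ctr-svc01", "Domain Admins", date(2008, 10, 2), ("supervisor",)),
]
AS_OF = date(2008, 11, 30)

if __name__ == "__main__":
    for account, group, reason in audit_privileged_access(MEMBERSHIP, PARS, AS_OF):
        print(f"{account:<12} {group:<18} {reason}")
```

Run on a schedule, the exception list is the audit record the process needs: each line is a privileged account that was either created outside the request process or whose approval has lapsed, and the group column shows exactly which elevated right is unsupported.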
Poor management and maintenance of privileged accounts may increase the risk of individuals exploiting these accounts to gain unauthorized access to the network and DHS assets.\n\n[redacted] Further, while audit trails are enabled on routers, servers, and workstations, [redacted]\n\nDocumented LAN-A Patch Management Process Has Not Been Established\n\nWhile security patches were applied to servers and workstations, DHS does not have documentation outlining specific duties, roles, and responsibilities regarding the LAN-A patch management program. Documented procedures can ensure that security patches are deployed in a consistent manner.\n\n[redacted] on a monthly basis. Security patches are tested and evaluated before they are deployed. [redacted] to verify that security patches have been deployed.\n\nTo evaluate the patch management process for LAN-A, we interviewed administrator personnel, examined documentation, and performed vulnerability testing on a sample of servers, workstations, and network devices. 
Of the 453 LAN-A devices that were tested, we identified the following high-risk vulnerabilities that may be exploited if they are not properly mitigated:\n\n\xe2\x80\xa2 [redacted]\n\n\xe2\x80\xa2 [redacted]\n\n\xe2\x80\xa2 [redacted]\n\n\xe2\x80\xa2 [redacted]\n\n\xe2\x80\xa2 [redacted]\n\nDHS requires that security patches be installed in a timely and expeditious manner. The National Institute of Standards and Technology (NIST) also recommends that agencies have an explicit and documented patching and vulnerability policy as well as a systematic, accountable, and documented set of processes and procedures for handling patches. Documented procedures should specify the techniques an agency will use to monitor for new patches and vulnerabilities and the personnel responsible for such monitoring.\n\nWithout a documented patch management process to support the security program for LAN-A, DHS cannot ensure that all vulnerabilities have been mitigated to prevent malicious users from gaining uncontrolled access to LAN-A. 
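The verification step the audit describes, scanning the estate and pulling out the high-risk findings that remain after patching, as an added example that is not from the OIG report and not DHS' tooling: it parses a Nessus XML export (the .nessus v2 format, in which each scanned host is a ReportHost element and each finding a ReportItem with a severity attribute from 0, informational, to 4, critical), lists the hosts still carrying high or critical findings, and ranks the missing fixes by how many hosts they affect. The embedded export is constructed; its hosts, plugin IDs and plugin names are fictitious.

```python
"""Summarise high-risk findings from a Nessus XML (.nessus v2) export.

Added example, not from the OIG report. The export below is constructed:
hosts, plugin IDs and plugin names are fictitious.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="10.0.0.11">
   <HostProperties>
    <tag name="host-ip">10.0.0.11</tag>
    <tag name="operating-system">Windows Server (constructed)</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001"
               pluginName="SMB service missing security update (constructed)" pluginFamily="Windows">
    <cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900002"
               pluginName="Host information (constructed)" pluginFamily="General"/>
  </ReportHost>
  <ReportHost name="10.0.0.12">
   <HostProperties><tag name="host-ip">10.0.0.12</tag></HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900001"
               pluginName="SMB service missing security update (constructed)" pluginFamily="Windows">
    <cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900003"
               pluginName="Weak TLS configuration (constructed)" pluginFamily="General"/>
  </ReportHost>
  <ReportHost name="10.0.0.13">
   <HostProperties><tag name="host-ip">10.0.0.13</tag></HostProperties>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900002"
               pluginName="Host information (constructed)" pluginFamily="General"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

HIGH_RISK = 3  # severity 3 (high) and 4 (critical)


def parse_nessus(xml_text):
    """Return {"hosts": [ip, ...], "findings": [dict, ...]} from a .nessus v2 document."""
    root = ET.fromstring(xml_text)
    hosts, findings = [], []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        ip = props.get("host-ip") or host.get("name")
        hosts.append(ip)
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            findings.append({
                "host": ip,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "cvss": float(cvss) if cvss else None,
            })
    return {"hosts": hosts, "findings": findings}


def high_risk_by_host(findings, min_severity=HIGH_RISK):
    """Group findings at or above min_severity by host; clean hosts are absent."""
    grouped = defaultdict(list)
    for f in findings:
        if f["severity"] >= min_severity:
            grouped[f["host"]].append(f)
    return dict(grouped)


def patch_status(report, min_severity=HIGH_RISK):
    """The check a patch-management process runs after a deployment cycle:
    which hosts still carry high-risk findings, and which missing fixes
    affect the most hosts (the order in which to push patches)."""
    failing = high_risk_by_host(report["findings"], min_severity)
    per_plugin = Counter(
        (f["plugin_id"], f["plugin_name"])
        for items in failing.values() for f in items
    )
    return {
        "hosts_scanned": len(report["hosts"]),
        "hosts_with_high_risk": sorted(failing),
        "hosts_clean": sorted(set(report["hosts"]) - set(failing)),
        "top_plugins": [(pid, name, n) for (pid, name), n in per_plugin.most_common()],
    }


if __name__ == "__main__":
    status = patch_status(parse_nessus(SAMPLE_NESSUS))
    print(f"{status['hosts_scanned']} hosts scanned, "
          f"{len(status['hosts_with_high_risk'])} with high-risk findings")
    for pid, name, n in status["top_plugins"]:
        print(f"  plugin {pid}: {name} on {n} host(s)")
```

Lowering min_severity to 2 widens the check to medium findings; the host and plugin grouping is what turns a scan into a patch-deployment worklist and, run again after the cycle, into evidence that the patches actually landed.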
Applying security patches is critical for securing LAN-A and protecting sensitive data from unauthorized access, manipulation, and misuse.\n\nInadequate management of privileged accounts, weaknesses identified in patch management, and [redacted]. These weaknesses may allow malicious users to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts.\n\nRecommendations\n\nWe recommend that the Under Secretary for Management direct the Chief Information Officer to:\n\nRecommendation #5: Establish a process to ensure that LAN-A [redacted]\n\nRecommendation #6: Ensure that the authorization for privileged LAN-A access is documented, reviewed, and approved by appropriate officials.\n\nRecommendation #7: Develop a documented process to deploy security patches on LAN-A.\n\nRecommendation #8: [redacted]\n\nManagement Comments and OIG Analysis\n\nDHS concurred with recommendation 5. DHS noted that the policies that govern privileged accounts need to be stricter than those of regular user accounts. In addition, DHS [redacted]\n\nWe agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.\n\nDHS concurred with recommendation 6. DHS noted that the department has established a process to ensure that the requests for privileged LAN-A accounts are documented, reviewed, and approved by appropriate officials. 
DHS also acknowledged that more resources must be dedicated to auditing this process. Currently, all requests and business justifications for privileged accounts must be submitted to the helpdesk via a Privileged Account Request (PAR) through the requestor\xe2\x80\x99s immediate supervisor, approved by the government lead of Operations, and then approved by the LAN-A Security Manager. Beginning in the third quarter of FY 2009, DHS will perform a bi-monthly audit of privileged accounts to ensure that no accounts were created outside of this process. In addition, DHS will establish a one-year expiration date for all PARs and will require customers to re-apply through the approval process if the requirement for the account still exists.\n\nWe agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.\n\nDHS concurred with recommendation 7. DHS noted that a draft copy of the standard operating procedures for deploying security patches on LAN-A was provided to the OIG during the audit. In order to have an effective patch management process, DHS acknowledged that the draft procedures require revision to include branch manager approval and consistent execution. 
Finally, DHS maintained that security patches are being applied on LAN-A, as only a few missing security patches were identified during the audit.\n\nWe agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.\n\nDHS concurred with recommendation 8. [redacted]\n\nWe agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.\n\nCompliance with DHS Information Security Program\n\nLAN-A program officials do not ensure that security documents required by the department, e.g., the system security plan and plan of action and milestones (POA&Ms), are periodically updated and contain the necessary information for the DAA to make a credible decision to re-certify and accredit LAN-A.[4] DHS and NIST require that security documents be included as part of the accreditation package and be updated periodically.\n\nAccording to NIST guidance, the certification & accreditation process, when applied to agency information systems, provides a systematic approach to assess whether the management, operational, and technical security controls are effectively implemented. Status reporting and periodic update of security documentation is one of the tasks that must be performed during the continuous monitoring phase. 
The purpose of status reporting and maintaining security documentation current is to: (1) update the system security plan to reflect the proposed or actual changes to the information system; (2) update the POA&Ms based on the activities carried out during the continuous monitoring phase; and (3) report the security status of the information system to the authorizing official and senior agency information security officer.\n\n[4] According to applicable NIST guidance, continuous monitoring of security controls and updating system documentation is a critical aspect of the certification & accreditation process in the post-accreditation period. The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may impact the security of the system. Continuous monitoring results should be documented and reported to the authorizing official on a regular basis. 
The monitoring results should also be considered when making updates to the system security plan and to the POA&Ms, because the authorizing official and the certification agent will use these security documents to make the accreditation decision.\n\nThe activities in this phase are performed continuously throughout the life cycle of the information system.\n\nAfter the original accreditation expired in July 2008, the DAA granted LAN-A an authority to operate (ATO) for six months. However, even though the DAA was not given the most current and credible information to reaccredit the network, LAN-A was reaccredited anyway. For example, the system security plan had not been updated since LAN-A was accredited in July 2005. For FISMA reporting purposes, the Chief Information Officer reviews accreditation packages for all information systems for compliance with applicable DHS and NIST guidance. After reviewing the accreditation package for LAN-A, the Chief Information Officer did not accept the accrediting official\xe2\x80\x99s ATO because the network was reaccredited without the required security documents. In its Fiscal Year 2008 FISMA submission to the Office of Management and Budget, the Chief Information Officer reported that LAN-A was one of the systems without an ATO.\n\nIn a November 2008 meeting, a program official indicated that DHS was in the process of defining a new system boundary for LAN-A and reaccrediting the network. 
According to the program official, the required security documents are being developed in accordance with applicable DHS and NIST guidance.\n\nDHS requires security documents to be part of the accreditation package and to be updated periodically. Specifically, DHS requires the following 11 documents to support the accreditation decision: ATO letter, system security plan, security assessment report, risk assessment, security test and evaluation, contingency plan, contingency plan test results, Federal Information Processing Standard 199 determination, e-authentication determination, privacy threshold analysis, and NIST Special Publication 800-53 assessment.\n\nUnderstanding the overall effectiveness of security controls for an information system is essential in determining the risk to DHS\xe2\x80\x99 operations and assets. 
Without the updated security documents, program officials cannot make credible risk-based decisions on whether to authorize systems to operate or ensure that systems are adequately secure.\n\nRecommendations\n\nWe recommend that the Chief Information Officer direct the LAN-A Information Systems Security Manager to:\n\nRecommendation #9: Develop all required security documents according to applicable DHS and NIST guidance before LAN-A is reaccredited.\n\nRecommendation #10: Maintain and periodically update the security documents that support LAN-A\xe2\x80\x99s accreditation.\n\nManagement Comments and OIG Analysis\n\nDHS concurred with recommendation 9. LAN-A program officials acknowledged the need and intent to verify that all appropriate and applicable security documents are completed for LAN-A\xe2\x80\x99s re-accreditation. However, the program officials believed that the network was accredited in accordance with NIST standards. After a security assessment was performed in July 2008, program officials maintained that the DAA had a reasonable measure of risk and decided to accredit LAN-A for a short period of time. 
The program officials added that LAN-A\xe2\x80\x99s accreditation was consistent with NIST guidance, which allows the DAA to make a reasonable assumption of risk based on the information presented to support the decision.\n\nWithout the required security documents, we maintain that LAN-A\xe2\x80\x99s July 2008 accreditation was not consistent with applicable DHS and NIST guidance. In particular, NIST requires that the system security plan be provided to the DAA, as part of the accreditation package, along with the results from the security assessment, so that the DAA can make a credible, risk-based decision on whether to accredit the system. The system security plan can also contain, as supporting appendices or as references, other key security documents such as the risk assessment, privacy impact assessment, contingency plan, incident response plan, configuration management plan, security configuration checklists, and any system interconnection agreements. At the time LAN-A was accredited in July 2008, all security documents were outdated. As a result, the DAA did not have the necessary information to make a credible decision to certify and accredit LAN-A.\n\nDHS concurred with recommendation 10. DHS has divided the network into four manageable general support systems and will ensure each is fully documented. 
Accreditation packages will be developed for each system, and maintained and updated periodically.\n\nWe agree that the steps DHS is taking, and plans to take, begin to satisfy this recommendation.\n\nAppendix A\nPurpose, Scope, and Methodology\n\nThe objective of this review was to determine whether DHS is effectively managing its headquarters\xe2\x80\x99 local area network, known as LAN-A. Specifically, we determined whether: (1) the contractor provided adequate support services according to the contract terms; (2) effective controls have been implemented to protect the network; and (3) FISMA requirements have been implemented.\n\nWe interviewed selected personnel at DHS headquarters; data centers located at Clarksville, Virginia, and Stennis Space Center, Mississippi; and IT-NOVA Service Desk Operations at Indianapolis, Indiana. In addition, we reviewed and evaluated DHS security policies and procedures, the IT-NOVA task order, and other appropriate documentation. During the audit, we used software tools, such as NESSUS and NMAP, to detect, analyze, and evaluate the effectiveness of controls implemented on selected servers, workstations, and switches. 
Upon completion of the assessments, we provided program officials with the technical reports detailing the specific vulnerabilities detected on LAN-A network devices and the actions needed for remediation.\n\nWe conducted this audit between July and December 2008 according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Major OIG contributors to the audit are identified in Appendix C.\n\nThe principal OIG points of contact for the evaluation are Frank Deffer, Assistant Inspector General, Office of Information Technology, at (202) 254-4041 and Edward G. 
Coleman, Director, Information Security Audit Division, at (202) 254-5444.\n\nAppendix B\nManagement Comments\n\n(The management comments in Appendix B, pages 21 through 24, are not available in this text version.)\n\nAppendix C\nMajor Contributors to this Report\n\nInformation Security Audit Division\n\nEdward Coleman, Director\nChiu-Tong Tsang, Audit Manager\nMike Horton, IT Officer\nBarbara Bartuska, Audit Manager\nMaria Rodriguez, Team Lead\nAaron Zappone, Program Analyst\nCharles Twitty, IT Auditor\nKristina Hayden, Program Analyst\nAmanda Strickler, IT Specialist\nNazia Khan, IT Specialist\nThomas Rohrback, IT Specialist\nDavid Bunning, IT Assistant\n\nKaren Nelson, Referencer\n\n
Appendix D\nReport Distribution\n\nDepartment of Homeland Security\n\nSecretary\nActing Deputy Secretary\nChief of Staff for Operations\nChief of Staff for Policy\nActing General Counsel\nExecutive Secretariat\nAssistant Secretary for Policy\nAssistant Secretary for Office of Public Affairs\nAssistant Secretary for Office of Legislative Affairs\nChief Information Officer\nDeputy Chief Information Officer\nChief Information Security Officer\nDirector, Compliance and Oversight\nDirector, GAO/OIG Liaison Office\nChief Information Officer Audit Liaison\nChief Information Security Officer Audit Manager\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as appropriate\n\nADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline 
at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'